
Privacy Policy

Payzium Corp (USA) and Payzium Holding Inc. (Canada)

Effective date: May 4, 2026
Last reviewed: May 4, 2026


1. About this Policy

This Privacy Policy explains how the Payzium group of companies collects, uses, discloses, and protects personal information in connection with payzium.com, statementsavings.com, the Payzium audit submission process, related communications, and any other website, application, or service that links to this Policy (collectively, the "Services").

Two responsible entities. Payzium operates through two affiliated entities. Which entity is the "controller" (for European Union and United Kingdom purposes), the "business" (for United States purposes), or the "enterprise" in charge of personal information (for Quebec purposes) depends on where you are located:

  • Payzium Corp, a Delaware corporation, is responsible for personal information collected from individuals located in the United States, Mexico, the Caribbean, and any other jurisdiction other than Canada, the European Economic Area, the United Kingdom, or Switzerland.
  • Payzium Holding Inc., a Quebec corporation, is responsible for personal information collected from individuals located in Canada, the European Economic Area, the United Kingdom, and Switzerland.

References to "Payzium," "we," "us," and "our" in this Policy mean whichever entity above is responsible for your personal information based on your location. The two entities share infrastructure, vendors, and operating standards as described in this Policy.

Audience. Our Services are directed to businesses and the individuals who act on their behalf (owners, operators, accountants, controllers, partners). We do not knowingly direct the Services to consumers in their personal capacity or to children under 18.

2. Information We Collect

2.1 Information you provide directly

When you request a free audit, contact us, become a partner, or otherwise interact with us, we collect:

  • Contact and identity information: name, email address, phone number, business role.
  • Business information: legal business name, doing-business-as name, business address, country and region of operation, industry vertical, processing volume range, current processor (where you choose to share it).
  • Merchant processing statement information: PDF, PNG, or JPG copies of merchant processing statements you upload to us, which typically contain processing volumes, transaction counts, fee schedules, effective rates, account identifiers, and similar payment-acceptance data.
  • Communications: the content of emails, calls, chat messages, voicemails, and other communications you send to us, including any information you choose to include in them.
  • Authorization records: a record of your acknowledgement that you authorize Payzium to analyze the statement(s) you submit and contact you about the results.

2.2 Information we collect automatically

When you use our Services, we automatically collect:

  • Device and connection data: IP address, browser type and version, operating system, device type, screen size, language preferences, and the dates and times of your interactions with the Services.
  • Usage data: pages viewed, links clicked, scroll depth, form interactions, referring URL, and the landing page on which you first arrived.
  • Attribution data: query-string parameters present in URLs you use to reach us, including UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content), Google Click Identifiers (gclid), Meta Click Identifiers (fbclid), and equivalent identifiers from other advertising platforms.
  • Local-storage attribution: on first arrival, we write the attribution data above, the landing URL, the HTTP referrer, the user agent string, and a capture timestamp into your browser's localStorage under the key payzium_attribution. This entry is retained for up to 90 days, after which it is treated as expired and re-captured on the next visit. We use first-touch attribution: an existing unexpired entry is not overwritten by a later visit. This entry stays on your device until it expires, you submit a form (in which case the values are sent to us with the submission), or you clear your browser storage.
  • Server logs: Vercel records standard request logs (URL requested, status code, IP address, timestamp, response time) for security and operational purposes.

Cookies and similar technologies. Our primary website analytics provider, Plausible, does not use cookies and does not track individuals across sites. We use cookies and equivalent technologies only where necessary to operate the Services (for example, to remember your privacy choices), and where applicable to support paid-advertising measurement when you arrive from a paid campaign. We do not place advertising cookies for retargeting before you have provided the consent required in your jurisdiction. The localStorage attribution entry described above is a similar technology and is governed by the same consent rules where consent is required.
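The following is an added example, not Payzium's own code, of the first-touch localStorage mechanism described in this section. The key name payzium_attribution, the 90-day expiry, and the list of tracked query-string parameters are taken from the text above; the stored field names, the consent gate, the length caps on stored values, and the in-memory storage stand-in are assumptions made for the example.

```javascript
// Added example, not Payzium's own code: first-touch attribution capture in
// localStorage as the policy describes it. The key name, the 90-day expiry and
// the list of tracked parameters come from the policy; the field names, the
// consent gate, the value-length caps and the storage interface are assumptions.
const ATTRIBUTION_KEY = "payzium_attribution";
const ATTRIBUTION_TTL_MS = 90 * 24 * 60 * 60 * 1000; // 90 days
const TRACKED_PARAMS = [
  "utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content",
  "gclid", "fbclid",
];
// Assumed cap: these values are attacker-controllable (anyone can craft a link)
// and are later sent to the server with a form submission.
const MAX_VALUE_LEN = 256;
const MAX_URL_LEN = 2048;

// Pull only the tracked query-string parameters out of the landing URL.
function extractAttribution(url) {
  const params = new URL(url).searchParams;
  const out = {};
  for (const name of TRACKED_PARAMS) {
    const value = params.get(name);
    if (value !== null) out[name] = value.slice(0, MAX_VALUE_LEN);
  }
  return out;
}

// Read the stored entry. Expired or malformed entries are removed and treated
// as absent, so the next visit re-captures attribution.
function readAttribution(storage, now = Date.now()) {
  const raw = storage.getItem(ATTRIBUTION_KEY);
  if (raw === null) return null;
  let entry;
  try {
    entry = JSON.parse(raw);
  } catch {
    entry = null;
  }
  const valid = entry !== null && typeof entry === "object" &&
    Number.isFinite(entry.captured_at) &&
    now - entry.captured_at <= ATTRIBUTION_TTL_MS;
  if (!valid) {
    storage.removeItem(ATTRIBUTION_KEY);
    return null;
  }
  return entry;
}

// First-touch: an existing unexpired entry wins; otherwise write a new one.
// Returns the entry in effect, or null when there is no consent to write to
// the device (the consent decision itself is assumed to come from elsewhere).
function captureFirstTouch({ storage, url, referrer, userAgent,
                             now = Date.now(), consentGranted = true }) {
  if (!consentGranted) return null;
  const existing = readAttribution(storage, now);
  if (existing !== null) return existing;
  const entry = {
    params: extractAttribution(url),
    landing_url: url.slice(0, MAX_URL_LEN),
    referrer: referrer.slice(0, MAX_URL_LEN),
    user_agent: userAgent.slice(0, MAX_VALUE_LEN),
    captured_at: now,
  };
  storage.setItem(ATTRIBUTION_KEY, JSON.stringify(entry));
  return entry;
}

// Minimal stand-in for window.localStorage so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
  removeItem(key) { this.items.delete(key); }
}
```

In a browser the call would be captureFirstTouch({ storage: window.localStorage, url: location.href, referrer: document.referrer, userAgent: navigator.userAgent, consentGranted: ... }). Two checks a practitioner would want are visible here: an unexpired entry is never overwritten by a later visit (first-touch), and anything read back from localStorage is validated before use, since the entry is attacker-influenced (via crafted links or other scripts on the origin) and is eventually posted to the server, which should treat it as untrusted input as well.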

2.3 Information we receive from third parties

  • Phone number validation. When you submit a phone number on our audit form, we send the number and country code to Twilio, Inc. for validation through its Lookup v2 service. Twilio returns a normalized E.164-formatted number, line type, and carrier name. We retain the validated outputs alongside your submission.
  • Business intelligence enrichment. We may enrich submissions with publicly available business information (for example, NAICS classification, location coordinates, web presence) from data providers and public sources, in order to improve our audit quality and to verify identity.
  • Partners and referrers. Where you reach our Services through a referral partner or where a partner submits information on your authorized behalf, we receive your contact information and any business information the partner has provided.
  • Advertising platforms. Where you arrive from a paid campaign, the originating platform may share aggregated or click-level information with us to attribute the lead.

3. Why We Use Personal Information

We use personal information for the following purposes:

  • Provide the audit. Parse, analyze, and benchmark your merchant processing statement, generate audit findings, and deliver the results to you.
  • Communicate with you. Confirm submissions, deliver audit results, follow up on questions, send service updates, and respond to your inquiries.
  • Verify and authenticate. Validate the contact information you provide (including phone validation through Twilio Lookup), confirm authorization, and reduce duplicate or fraudulent submissions.
  • Improve our Services. Analyze aggregate usage patterns, conversion behavior, and audit accuracy in order to improve the website, the audit deliverable, and the customer experience.
  • Marketing and outreach. Where permitted by applicable law, send you commercial communications about Payzium services that we believe will be relevant to your business. You can opt out at any time.
  • Comply with law and protect rights. Comply with applicable legal obligations (tax, accounting, anti-fraud, anti-money-laundering, sanctions screening), respond to lawful requests, and exercise or defend legal claims.
  • Operate our partner program. Where you participate as a partner or sub-partner, manage the relationship, calculate compensation, and audit performance under the partner agreement.

4. Legal Basis for Processing

Where required by law (in particular, the General Data Protection Regulation in the European Union and the United Kingdom, and the Quebec Act respecting the protection of personal information in the private sector, as amended by Law 25), we rely on one or more of the following legal bases:

  • Performance of a contract or steps requested before entering a contract: for example, to deliver the audit you have requested or to onboard you as a partner.
  • Legitimate interests: for example, to operate, secure, and improve our Services, to prevent fraud, to conduct B2B outreach to business contacts in the course of commercial activity, and to maintain audit and accounting records. We have assessed these interests against the rights and freedoms of the individuals concerned.
  • Consent: for example, where you submit a statement and authorize the analysis, where consent is required under Quebec Law 25 for the use or disclosure of personal information, where required for marketing communications, and where required to read or write information on your device.
  • Compliance with legal obligations: for example, to retain transaction records for tax purposes or to respond to lawful regulatory or governmental requests.
  • Protection of vital interests or public interest: in narrow circumstances where required by applicable law.

Quebec specifically. Under Quebec Law 25, our collection, use, and communication of your personal information is governed by the principles of necessity, transparency, purpose limitation, and consent (express where required, implied only where the law permits). The Person in Charge of the Protection of Personal Information for Payzium Holding Inc. is named in the Contact section below.

5. How We Share Personal Information

We share personal information only as described below.

5.1 Within the Payzium group

We share personal information between Payzium Corp and Payzium Holding Inc. for shared infrastructure, customer support, partner administration, and consolidated security and accounting functions, under written safeguards that hold the receiving entity to the same standards as the originating entity.

5.2 Service providers (sub-processors)

We share personal information with vendors who process it on our behalf, under written contracts that restrict use to the purposes we direct, require security measures appropriate to the risk, and prohibit independent use of the information. Our current sub-processors are:

  • Vercel Inc.
    Function: Website hosting, application infrastructure, analytics
    Categories of personal information: All form submissions in transit, IP address, user agent, browser metadata
    Location of processing: United States

  • Vercel Inc. (Blob storage)
    Function: Storage of uploaded merchant statements
    Categories of personal information: Merchant processing statements (PDF/PNG/JPG), which may contain merchant business name, processing volumes, fee structures, and account identifiers
    Location of processing: United States

  • Airtable Inc.
    Function: Submission database, partner portal, internal record-keeping
    Categories of personal information: Contact information, business information, audit submission metadata, attribution data
    Location of processing: United States

  • Resend Inc.
    Function: Transactional email delivery (audit confirmations, follow-ups)
    Categories of personal information: Email address, name, audit reference identifiers
    Location of processing: United States

  • Twilio Inc.
    Function: Phone number validation via Lookup v2
    Categories of personal information: Phone number, country code
    Location of processing: United States

  • Plausible Insights OÜ
    Function: Privacy-respecting website analytics (no cookies, no cross-site tracking)
    Categories of personal information: Aggregate page-view data, hashed and anonymized session identifiers, country-level geolocation
    Location of processing: European Union (Estonia/Germany)

  • Google LLC (Google Analytics 4 / Google Ads, when applicable to paid traffic)
    Function: Conversion tracking and audience measurement on paid campaigns
    Categories of personal information: IP address, device identifiers, click identifiers (gclid), interaction events
    Location of processing: United States; transfers governed by EU Standard Contractual Clauses where applicable

  • Anthropic PBC and large language model providers
    Function: Automated parsing and analysis of statement data for the audit deliverable
    Categories of personal information: De-identified statement content; we strip merchant business names and account numbers from prompts where technically feasible before model invocation
    Location of processing: United States

This list is current as of the effective date above. We will update it when we add or replace a material sub-processor. Where you have an active business relationship with us and we add a sub-processor that is material to your engagement, we will notify you with reasonable advance notice.

5.3 Partners

Where you submit a request through one of our authorized partners (for example, a referral partner or a call-center partner operating under our Partner Program), we share submission status and high-level outcome information with that partner so they can serve you and so we can administer the partner agreement. Partners are contractually prohibited from independently retaining, copying, or forwarding your information, or using it to market to you, beyond what is necessary to support the engagement.

5.4 Acquirers and processors

Where you choose to switch merchant processing through a Payzium recommendation, we share the information necessary to facilitate the switch (for example, your business and contact information, statement copies, and authorization records) with the acquiring bank, payment processor, or independent sales organization that will board the new account. The receiving acquirer or processor becomes an independent controller of your information for its own regulatory and business purposes once it accepts the application.

5.5 Professional advisors and corporate transactions

We may share personal information with our auditors, lawyers, accountants, and insurers under duties of confidentiality. If Payzium is involved in a merger, acquisition, financing, reorganization, sale of assets, or insolvency, personal information may be transferred as part of that transaction, subject to confidentiality protections and applicable law.

5.6 Legal and safety

We may share personal information when we believe in good faith that the disclosure is necessary to comply with applicable law or legal process, to enforce our terms, to protect our rights, property, or safety, or the rights, property, or safety of others, or to investigate fraud or security incidents.

No sale of personal information. We do not sell personal information for monetary consideration. The disclosures described in this Policy may, depending on jurisdiction, be considered "sharing" for cross-context behavioral advertising or comparable defined terms in some United States state laws. See Section 11 for the rights available to you, including the right to opt out of any such sharing.

6. International Data Transfers

Payzium operates from the United States and Canada and uses sub-processors that are primarily located in the United States. As a result, personal information that we collect in Canada, the European Economic Area, the United Kingdom, or Switzerland is transferred to and processed in the United States and other jurisdictions whose privacy laws may differ from those of your home jurisdiction.

Quebec. Before transferring personal information outside Quebec, we conduct a Privacy Impact Assessment under Quebec Law 25, taking into account the sensitivity of the information, the purpose of the transfer, the protection measures (including contractual, technical, and organizational), and the legal regime applicable in the destination jurisdiction. We enter into written agreements with all sub-processors that include data protection commitments and audit rights.

European Economic Area, United Kingdom, Switzerland. Where we transfer personal information from these jurisdictions to the United States or another third country, we rely on the European Commission's Standard Contractual Clauses (and the United Kingdom International Data Transfer Addendum or the Swiss equivalent, where applicable) or another lawful transfer mechanism, supplemented by additional technical, contractual, and organizational measures where appropriate.

You may request a copy of the relevant transfer mechanism by contacting us using the details in Section 13.

7. How Long We Keep Personal Information

We keep personal information only for as long as necessary for the purposes described in this Policy, after which we delete or de-identify it. The actual periods depend on the type of information and the legal, accounting, and operational obligations that apply:

  • Audit submissions and statements: retained for the duration of your engagement and for up to seven (7) years after the last interaction, to comply with tax, accounting, and dispute-resolution obligations. Statement files stored in Vercel Blob are subject to the same period and are protected by access controls.
  • Contact and CRM records: retained while you remain a customer, prospect, or partner, and for up to thirty-six (36) months after the last interaction unless a longer period is required by law or by an active engagement.
  • Communications: retained while necessary to support the relationship and to demonstrate compliance, generally up to seven (7) years.
  • Server and security logs: retained for up to twelve (12) months for security, debugging, and abuse-prevention purposes.
  • Local-storage attribution entry on your device: expires automatically after 90 days, or sooner if you clear your browser storage.
  • Plausible analytics: Plausible does not retain individual-level identifiers; aggregate analytics are retained for as long as needed for product and marketing analysis.
  • Marketing data: retained until you unsubscribe or until thirty-six (36) months after the last engagement, whichever comes first, unless you re-engage.
  • Records to evidence consent and rights requests: retained as long as required by applicable law to evidence our compliance.

8. How We Protect Personal Information

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These include encryption in transit, access controls based on role and least privilege, infrastructure logging and monitoring, secure software development practices, sub-processor due diligence, and incident-response procedures.

No method of transmission or storage is completely secure. We cannot guarantee absolute security.

Breach notification. If we learn of a confidentiality incident that creates a risk of serious injury under Quebec Law 25, a personal data breach under the GDPR, a breach of security safeguards under PIPEDA, or a notifiable security incident under any United States state law, we will notify the relevant supervisory authority and affected individuals in accordance with the timelines and content requirements of the applicable law.

9. Automated Processing and AI

We use automated processing, including software powered by large language models, to parse merchant processing statements, classify line items, calculate effective rates, compute industry benchmarks, and generate the analytical content of the audit deliverable. A human reviewer at Payzium reviews material outputs before they are communicated to you.

The decision whether you switch processors, take any action recommended in an audit, or engage Payzium further always rests with you. We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing without human involvement.

Quebec specifically. Where Quebec Law 25 applies, you have the right to be informed when a decision concerning you is based exclusively on automated processing, to obtain the principal personal information used to render the decision and the principal factors and parameters that led to it, to have your observations considered, and to request that the decision be reviewed.

Model providers. We send statement content to AI model providers (currently Anthropic) only to obtain the analytical output we deliver to you. We instruct providers not to retain prompts or completions for training, and we strip business names and account numbers from prompts where technically feasible.

10. Children's Privacy

Our Services are intended for businesses and the individuals who act on their behalf in a professional capacity. We do not knowingly collect personal information from children under the age of 18 (or under the equivalent local age of digital consent). If you believe a child has submitted personal information to us, please contact us using the details in Section 13 and we will delete the information.

11. Your Privacy Rights

Depending on where you are located, you have some or all of the following rights with respect to your personal information. We honor these rights regardless of citizenship where the law applies based on your location.

  • Access: You can ask for a copy of the personal information we hold about you and information about how we process it.
  • Rectification: You can ask us to correct inaccurate or incomplete personal information.
  • Erasure / deletion: You can ask us to delete your personal information, subject to our legitimate retention obligations (for example, tax, accounting, fraud-prevention, and dispute records).
  • Restriction of processing: You can ask us to limit the use of your personal information in specified circumstances.
  • Portability: You can ask us to provide a structured, commonly-used, machine-readable copy of personal information you provided to us, and where technically feasible, to transmit it to another organization.
  • Objection: You can object to processing based on legitimate interests, including direct marketing.
  • Withdraw consent: Where processing is based on consent, you can withdraw consent at any time without affecting prior lawful processing.
  • De-indexing (Quebec): Under Quebec Law 25, you may request that we de-index personal information in defined circumstances where the dissemination causes serious injury that outweighs the public interest.
  • Automated decision-making: You can request information about, and where applicable contest, decisions made solely on automated processing that produce legal or similarly significant effects.
  • Lodge a complaint: You may lodge a complaint with your local supervisory authority. See the Contact section below for the relevant authority by jurisdiction.

11.1 Quebec residents

Under the Quebec Act respecting the protection of personal information in the private sector (as amended by Law 25), you have the rights of access, rectification, withdrawal of consent, de-indexing, cessation of dissemination, and portability described above. You may also lodge a complaint with the Commission d'accès à l'information du Québec.

11.2 Other Canadian residents

Under PIPEDA and substantially similar provincial laws (Alberta PIPA, British Columbia PIPA), you have rights of access, correction, withdrawal of consent, and complaint to the Office of the Privacy Commissioner of Canada or your provincial commissioner.

11.3 European Economic Area, United Kingdom, and Switzerland

Under the GDPR, the United Kingdom GDPR, and the Swiss Federal Act on Data Protection, you have the rights of access, rectification, erasure, restriction, portability, and objection described above, plus the right to lodge a complaint with your local supervisory authority.

11.4 California residents

Under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), you have the right to know, the right to delete, the right to correct, the right to opt out of the sale or sharing of personal information for cross-context behavioral advertising, the right to limit the use of sensitive personal information, and the right to non-discrimination for exercising any of these rights. We do not sell personal information for monetary consideration. Where we engage in "sharing" as that term is defined under the CPRA, you may opt out using the contact details below or, where presented, the "Do Not Sell or Share My Personal Information" link on our website. We honor Global Privacy Control (GPC) signals.

Categories of personal information collected (CCPA notice at collection): identifiers, customer records, commercial information, internet or other electronic network activity, geolocation information (general), professional or employment-related information, and inferences drawn from the foregoing. Sensitive personal information collected: phone number, account log-in credentials only if you create an account, and (where included in submitted statements) financial account identifiers. We use sensitive personal information only for the purposes permitted under the CPRA without further consent.

11.5 Other United States residents

If you reside in a state with a comprehensive consumer privacy law (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Jersey, New Hampshire, Maryland, Minnesota, Kentucky, Rhode Island, and others as applicable), you have rights similar to those above, including access, deletion, correction, portability, and opt-out of targeted advertising and certain sales. To exercise these rights, follow the procedure in Section 12.

12. How to Exercise Your Rights

To exercise any of the rights above, contact us using the details in Section 13. We may need to verify your identity before completing the request, in a manner proportionate to the sensitivity of the information and the risk of harm from unauthorized disclosure.

We will respond within the timeframe required by the applicable law (generally 30 days, extendable in certain cases). There is no fee for most requests. We may charge a reasonable fee or refuse to act on requests that are manifestly unfounded, excessive, or repetitive, as permitted by law.

If we deny a request in whole or in part, we will explain the reason and inform you of your right to appeal (where applicable) and to lodge a complaint with the relevant supervisory authority.

Authorized agents. You may use an authorized agent to submit a request on your behalf, with appropriate proof of authorization. We may contact you to verify the request directly.

13. How to Contact Us

13.1 Person in Charge of the Protection of Personal Information (Quebec) and Privacy Contact

Maurizio Verrelli, President, has been designated as the Person in Charge of the Protection of Personal Information for Payzium Holding Inc. under Quebec Law 25, and serves as the privacy contact for the Payzium group of companies.

Email: privacy@payzium.com

13.2 Mailing addresses

Payzium Corp (USA) Attention: Privacy [INSERT DELAWARE REGISTERED ADDRESS] [INSERT PRINCIPAL US OFFICE ADDRESS]

Payzium Holding Inc. (Canada) Attention: Person in Charge of the Protection of Personal Information [INSERT QUEBEC REGISTERED ADDRESS, MONTREAL]

13.3 Supervisory authorities

If you believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local supervisory authority. Examples include:

  • Quebec: Commission d'accès à l'information du Québec (cai.gouv.qc.ca)
  • Canada (federal): Office of the Privacy Commissioner of Canada (priv.gc.ca)
  • European Economic Area: the data protection authority of the country in which you reside, work, or where the alleged infringement took place
  • United Kingdom: Information Commissioner's Office (ico.org.uk)
  • California: California Privacy Protection Agency (cppa.ca.gov) and California Attorney General (oag.ca.gov)

14. Changes to This Policy

We may update this Policy from time to time. When we do, we will revise the "Effective date" and "Last reviewed" dates at the top. If the changes are material, we will provide additional notice (for example, by email to active customers, by a banner on the Services, or as required by applicable law) before the changes take effect. We encourage you to review this Policy periodically.

15. Definitions

"Personal information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual, as defined under the applicable law in your jurisdiction.

"Sensitive personal information" has the meaning given to it under the applicable law in your jurisdiction (for example, the CPRA, Quebec Law 25, or the GDPR), and may include precise geolocation, financial account identifiers, government identifiers, biometric information, health information, account credentials, and the contents of communications.

"Process" (and its conjugations) means any operation performed on personal information, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, alignment, restriction, erasure, and destruction.

"Sub-processor" means a third party engaged by Payzium to process personal information on Payzium's behalf and under Payzium's instructions.

"Services" has the meaning given in Section 1.